How to Justify Important IT Security Initiatives to Business Leaders

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

To avoid possible disastrous outcomes, it’s critical that IT leaders become well versed in how to both determine and communicate the business value of security to upper management.

If they do not, they might find their business has underfunded security ­initiatives or, even more dire, “shadow IT” programs that undermine the company’s ability to protect its information assets.

But it need not come to that. Here’s a four-step approach to help make sure that everyone in the organization understands IT security requirements and also the investments needed to achieve them.

1. Prioritize Appropriately

IT teams and business executives have many reasons for throwing their weight behind security investments — many of them not wisely justified. IT staff members might be attracted to products and projects for the wrong reasons. Thoughts such as “this would be fun to learn about” or “it would be great to have this on my CV” are not valid spending justifications — nor by itself is an especially convincing salesperson, website, YouTube video or onsite demonstration.

Yet, surprisingly, these and similar notions often drive security initiatives. Executives can be equally off base if they lack adequate detailed investment strategies from their own IT staffs and so look to uninvolved third-party recommendations: “Gartner says this is a good idea,” or “That product is highly rated by SC Magazine.”

In fact, there is only one reason to push forward with a security initiative: because it is the best use of scarce ­resources and will help protect ­corporate assets. The IT team and executives all know this, but in the frenzy of daily operations, they may sometimes find it difficult to apply a structured approach to rationalizing investments — an approach that must begin with prioritizing risk against available funding.

All successful projects begin with a clear statement of priorities and business-grounded reasons to show why a project deserves time and money.

2. Use a Risk-Based Approach

No one knows the limits of what may happen, but every company still must make decisions. The key here is evaluating risk and using it as a weighting factor in prioritization.

Just be careful when undertaking this exercise. In recent years, security strategists have gone overboard with formulas that try to quantify risk. Each organization still must evaluate its unique data, not just plug information into a premade model. These package formulas should be viewed as a starting point for the IT team to build out its own risk investment model.

A typical exercise requires the IT manager to enumerate organizational assets, assign values, identify threats, determine likelihoods, pinpoint solutions, approximate effectiveness and do multiplication and subtraction. Most IT managers are comfortable with the last steps (the arithmetic) but the rest of the formula can lead to wild speculation.

The answer is to focus on what’s known, rather than what can only be guessed. Hardly anyone has the luxury of starting with a clean slate, which is why making risk analyses based on known information is the best strategy.

By putting risk analysis into the most concrete terms possible, IT ­officials and company executives will feel comfortable comparing investment proposals and their associated risks, and then ultimately defining the business case for one security investment strategy over another.

3. Data, Data, Data

There is no substitute for live information. IT teams are inundated with data — there are few pieces of equipment and software that don’t generate more logging information than can possibly be digested. Therefore, identifying relevant data to support a risk analysis is rarely difficult.

Tools such as intrusion detection systems, patch managers, malware scanners and log analyzers can help determine where security problems already exist in an organization. System logs from Windows and Unix servers, and from application servers such as web and database servers, can provide excellent supporting evidence for many security investment decisions. Firewall logs, in particular, are a gold mine for data on information flows within and outside an organization.

Collecting and assessing network and system data takes time and effort. To obtain the sought-after information effectively might even require setting a spare firewall, data loss prevention or intrusion prevention system, or NetFlow analyzer to “monitor” mode to gather data points.

These exercises are worth the effort because hard facts make the most ­compelling case for security investments.

4. Establish a Continuous Metrics Program

Once a project is completed, the IT team still needs to continuously evaluate it. Not all security investments prove successful, and changes in the technology and business environments might affect security.

If the results from an effort aren’t stellar, it’s time to admit mistakes and move on. Some investments start with a huge benefit and taper down; others are failures from the beginning. There are a lot of reasons for this. How a project was implemented in your organization may be the culprit.

Meanwhile, security and threat ecosystems change, and so do organizations. The key isn’t finding fault but setting into place measurable indicators and reporting on those indicators, and then making adjustments as needed. As part of any investment proposal, it’s critical to indicate how the company will measure success and then rigorously use those measurements to either continue investments or prune the portfolio.

Credibility is key, and there’s nothing like solid data to bolster credibility. An annual report demonstrating which security investments are paying off — and which are off — is a great way to gain the respect of senior executives and their support for future projects.

Breach Notifications Tell a Story

The Online Trust Alliance estimates that 740 million online records were exposed in 2013, making it the worst year in history for Internet security. That makes big headlines, but it’s always the subsequent incident analyses that are much more valuable to IT managers.

Are the teams running IT security that ineffectual? Or do executives refuse to prioritize and fund security adequately? Often, the real answers remain unknown, because once the headlines die down and the CIOs fire their staff (or resign) and the finger pointing ends, public information tends to dry up.

The most plausible explanation usually isn’t incompetence, but rather systemic failures: IT failing to properly communicate and prioritize risk upward, and executives failing to demand data-based risk analysis to assure them that the organization’s information assets are secure.

Well-considered strategies for evaluating risk in light of available resources can help improve communications between technical security teams and organizational managers, put security investments into the financial terms that help managers prioritize resources, and increase credibility of technical teams by providing solid reporting strategies for existing investments.